2 Answers
2

It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that php is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.

If you have a situation where multiple accounts may be modifying/editing the files, you can create a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.

Also, you may want to modify the umask of the limited user account that has ownership to be in line with your permission scheme.

So would it be more secure to set the owner to a limited account e.g. "testuser" instead of root? Can you explain to me why this would be more secure? Thanks!
–
solsol Feb 10 '10 at 8:04

1

Yes, you'll be better off setting these ownerships to someone other than root so you don't have to update them as root (or sudo). Create a webmaster on the server to own these files. I typically give my lead programmer of a project ownership of these files and put everyone else in the group.
–
Patrick R Feb 10 '10 at 14:01
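The scheme from the answer above (limited account as owner, the web server's group, nothing for others) together with the periodic re-apply it suggests, as an added shell example that is not part of the original answers. The function names, the `uploads` subdirectory, the 750/640/770 modes and the cron path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example. Hypothetical names: enforce_webroot, audit_webroot,
# the "uploads" subdirectory and the paths in the cron line below.
# Hourly entry in root's crontab (paths are placeholders):
#   0 * * * * /usr/local/sbin/webroot-perms.sh /var/www/app testuser apache uploads
# A umask of 027 for the owning account gives new files 640 and new
# directories 750, matching the modes set here.

# enforce_webroot DIR OWNER GROUP [WRITABLE_SUBDIR]
enforce_webroot() {
    dir=$1 owner=$2 group=$3 writable=${4:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # -h: change a symlink itself, never the file it points to.
    chown -hR "$owner:$group" "$dir" || return 1
    # Directories: owner rwx, group r-x (list and traverse), other none.
    find "$dir" -type d -exec chmod 750 {} + || return 1
    # Files: owner rw-, group r-- (web server reads, cannot modify), other none.
    find "$dir" -type f -exec chmod 640 {} + || return 1
    # Only the upload directory, if any, is writable by the web server group.
    if [ -n "$writable" ] && [ -d "$dir/$writable" ]; then
        chmod 770 "$dir/$writable"
    fi
}

# audit_webroot DIR [WRITABLE_SUBDIR]
# Prints every entry that grants anything to "other" or write access to the
# group, except the upload directory itself. No output means the tree is clean.
audit_webroot() {
    dir=$1 writable=${2:-}
    find "$dir" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 -o -perm -020 \) \
        ! -path "$dir/$writable" -print
}

# When invoked with arguments (as from cron), apply the scheme.
if [ "$#" -ge 3 ]; then
    enforce_webroot "$@"
fi
```

Running `audit_webroot` between cron runs shows which entries drifted, which helps find the account or deploy step that keeps creating files with loose modes.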

These permissions are required for a web application to run because the apache user is not part of the group permissions. In that case, apache is considered everyone so you need to set permissions to allow everyone to interact with your website. And by everyone I don't mean everyone in the world (i.e. anonymous). I mean everyone who is currently a user on your server (look in /etc/passwd to get a list).

Thanks for the tips guys. The application will be hosted on a dedicated machine, so no other users will have accounts but us to update the app when necessary. We want the server to be secure so is it a good idea to give apache Read/Write access to our files? I'm not a security expert - far from - but it sounds risky to give Apache full control over files, or am I wrong?
–
solsol Feb 10 '10 at 8:02

1

If your application won't update any files (text, image, etc.) on the server then all you'll need is read access rather than read/write. If you don't give apache read you'll get a 500 error. If apache won't be creating folders, don't give it rwx.
–
Patrick R Feb 10 '10 at 12:48

1

Apache won't sneak any files onto your server unless it has ftp or ssh or your code lets someone upload files. If you don't allow the first two options and your code either doesn't allow someone else (through apache) to upload files or run your code in a way you hadn't planned, you'll be pretty secure. Note that I didn't say to make your files rwxrwxr--. I was talking about a directory when I listed that particular permission level.
–
Patrick R Feb 10 '10 at 12:53

Thanks Patrick, we will have FTP on the server (to deploy new versions of the app) and users will be able to upload images with our application. We are checking for mime type there so that should be OK. So nobody can gain apache access otherwise and upload stuff?
–
solsol Feb 18 '10 at 11:38

Sorry for the super late reply. Apache is a user but doesn't have a password by default. Now you could go out of your way to make it so apache could log in via ftp or ssh but I imagine you haven't done that so you're probably safe. You've most definitely figured this out for now, just wanted to wrap up your open question.
–
Patrick R Aug 12 '10 at 3:13